Florindo Gallicchio

Florindo Gallicchio is a Managing Director at NetSPI and serves as a strategic advisor to executives, boards of directors, and technology staff. He is a senior risk management and information security practitioner with extensive experience in building and running cyber security programs to securely manage the business while also achieving and maintaining compliance to regulatory and industry requirements. Prior to joining NetSPI, Florindo was the CISO at a global advisory investment firm in New York City. He began his career with the National Security Agency while serving in the U.S. Navy, where in ten years of service he worked in signals and communications intelligence collection and systems exploitation.
More by Florindo Gallicchio
WP_Query Object
(
    [query] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "71"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "71"
                            [compare] => LIKE
                        )

                )

        )

    [query_vars] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "71"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "71"
                            [compare] => LIKE
                        )

                )

            [error] => 
            [m] => 
            [p] => 0
            [post_parent] => 
            [subpost] => 
            [subpost_id] => 
            [attachment] => 
            [attachment_id] => 0
            [name] => 
            [pagename] => 
            [page_id] => 0
            [second] => 
            [minute] => 
            [hour] => 
            [day] => 0
            [monthnum] => 0
            [year] => 0
            [w] => 0
            [category_name] => 
            [tag] => 
            [cat] => 
            [tag_id] => 
            [author] => 
            [author_name] => 
            [feed] => 
            [tb] => 
            [paged] => 0
            [meta_key] => 
            [meta_value] => 
            [preview] => 
            [s] => 
            [sentence] => 
            [title] => 
            [fields] => 
            [menu_order] => 
            [embed] => 
            [category__in] => Array
                (
                )

            [category__not_in] => Array
                (
                )

            [category__and] => Array
                (
                )

            [post__in] => Array
                (
                )

            [post__not_in] => Array
                (
                )

            [post_name__in] => Array
                (
                )

            [tag__in] => Array
                (
                )

            [tag__not_in] => Array
                (
                )

            [tag__and] => Array
                (
                )

            [tag_slug__in] => Array
                (
                )

            [tag_slug__and] => Array
                (
                )

            [post_parent__in] => Array
                (
                )

            [post_parent__not_in] => Array
                (
                )

            [author__in] => Array
                (
                )

            [author__not_in] => Array
                (
                )

            [ignore_sticky_posts] => 
            [suppress_filters] => 
            [cache_results] => 
            [update_post_term_cache] => 1
            [lazy_load_term_meta] => 1
            [update_post_meta_cache] => 1
            [nopaging] => 1
            [comments_per_page] => 50
            [no_found_rows] => 
            [order] => DESC
        )

    [tax_query] => WP_Tax_Query Object
        (
            [queries] => Array
                (
                )

            [relation] => AND
            [table_aliases:protected] => Array
                (
                )

            [queried_terms] => Array
                (
                )

            [primary_table] => wp_posts
            [primary_id_column] => ID
        )

    [meta_query] => WP_Meta_Query Object
        (
            [queries] => Array
                (
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "71"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "71"
                            [compare] => LIKE
                        )

                    [relation] => OR
                )

            [relation] => OR
            [meta_table] => wp_postmeta
            [meta_id_column] => post_id
            [primary_table] => wp_posts
            [primary_id_column] => ID
            [table_aliases:protected] => Array
                (
                    [0] => wp_postmeta
                )

            [clauses:protected] => Array
                (
                    [wp_postmeta] => Array
                        (
                            [key] => new_authors
                            [value] => "71"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                    [wp_postmeta-1] => Array
                        (
                            [key] => new_presenters
                            [value] => "71"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                )

            [has_or_relation:protected] => 1
        )

    [date_query] => 
    [request] => SELECT   wp_posts.* FROM wp_posts  INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1  AND ( 
  ( wp_postmeta.meta_key = 'new_authors' AND wp_postmeta.meta_value LIKE '{e9db2ef5312c0c3b521569bcc5066fc7b56a17178e8c17d8f28e0ed2cfada315}\"71\"{e9db2ef5312c0c3b521569bcc5066fc7b56a17178e8c17d8f28e0ed2cfada315}' ) 
  OR 
  ( wp_postmeta.meta_key = 'new_presenters' AND wp_postmeta.meta_value LIKE '{e9db2ef5312c0c3b521569bcc5066fc7b56a17178e8c17d8f28e0ed2cfada315}\"71\"{e9db2ef5312c0c3b521569bcc5066fc7b56a17178e8c17d8f28e0ed2cfada315}' )
) AND wp_posts.post_type IN ('post', 'webinars') AND ((wp_posts.post_status = 'publish')) GROUP BY wp_posts.ID ORDER BY wp_posts.post_date DESC 
    [posts] => Array
        (
            [0] => WP_Post Object
                (
                    [ID] => 26220
                    [post_author] => 71
                    [post_date] => 2021-08-17 15:48:00
                    [post_date_gmt] => 2021-08-17 20:48:00
                    [post_content] => 

NetSPI managing director Florindo Gallicchio wrote an article that was featured in the August 2021 issue of Cyber Defense Magazine:

There’s no doubt about it: attack surfaces grow and evolve around the clock. With network configurations, new tools and applications, and third-party integrations coming online constantly, an atmosphere is being created that opens the possibility of unidentified security gaps. The fact is that cyberattacks can affect your business and are, unfortunately, more prevalent than natural disasters and extreme weather events. And we know from our own NetSPI research that nearly 70 percent of security leaders are concerned about network vulnerabilities after implementing new security tools.

Prevention is key to a mature cybersecurity program. In fact, according to a recent Ponemon Institute study, when cybersecurity attacks are prevented, organizations can save resources, costs, damages, time, and reputation. Yet, companies still may think they are protected by buying the latest cybersecurity technologies or just by working to change team behaviors that pose the most risk (i.e., using stronger passwords, avoiding phishing scams, etc.). While there is a place in a security program for these and other security measures, time and budget constraints create major barriers. Therefore, it is critical that an organization’s vulnerability management program is strongly built on a strategy that is risk-based and business aligned.

Florindo's article can be found on pg. 74 of the August Issue of Cyber Defense Magazine. Download the issue online here: https://cyberdefensemagazine.tradepub.com/free/w_cyba125/.

[post_title] => Cyber Defense Magazine: Align Business Logic with Vulnerability Management to Mature Your Security Program [post_excerpt] => NetSPI managing director Florindo Gallichio wrote an article that was featured in the August 2021 issue of Cyber Defense Magazine. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cyber-defense-magazine-align-business-logic-with-vulnerability-management-to-mature-your-security-program [to_ping] => [pinged] => [post_modified] => 2021-08-18 12:06:04 [post_modified_gmt] => 2021-08-18 17:06:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26220 [menu_order] => 8 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 24940 [post_author] => 71 [post_date] => 2021-04-20 07:00:00 [post_date_gmt] => 2021-04-20 07:00:00 [post_content] =>

Unless you’re Pfizer, Moderna, or Johnson & Johnson, you may not consider your biotech or pharmaceutical organization a lucrative target for cyberattacks as COVID-19 vaccine production and distribution ramps up. However, it is important to note that the larger, well known organizations in the vaccine pipeline are well funded and staffed and have the ability to prioritize cyber security - and sophisticated adversaries know this well. In turn, this makes smaller organizations involved in vaccine development, distribution, and administration a prime target.

Notably, we expect to see increased threat activity among the small to midsized biotech organizations that are collecting patient data or have access to vaccine research and development (R&D) information. Whether or not your organization is working directly or indirectly with the COVID-19 vaccine, there’s a lot to learn from the security concerns and activity to date. In this article, we explore the motivations for vaccine cyber security threats, reasons why biotech organizations should prioritize security, and pragmatic steps organizations can take now to proactively prepare for imminent attacks.

The vaccine security threat landscape

Cybercrime is known to increase amid chaos or crisis, when people are the most vulnerable. And the COVID-19 pandemic is certainly no exception. Large-scale data breaches increased 273 percent in the first quarter of 2020 versus 2019. The U.N. Security Council reported a massive 350 percent increase in phishing websites in the first quarter of 2020, many targeting hospitals and healthcare systems. And now, capitalizing on the vaccine rollout, the number of phishing attacks targeting the healthcare industry increased by 189 percent from December 2020 to February 2021.

There are three realistic motivations for adversaries as it pertains to vaccine security: 1) the theft of personal health data, 2) to compromise business systems, and 3) to access intellectual capital. To gain a better understanding of the threat landscape, let’s take a deeper look at each scenario.

To steal sensitive health data:

Protected health information (PHI) includes identifiable information in a person’s health data records, such as health details, date of birth, Social Security number, fingerprints, and even financial information. Given biotech firms are working with patients to develop and test vaccines in a medical setting, they are also responsible for managing and securing PHI. PHI can be used by adversaries for identity theft, medical fraud, access computer networks, and to learn more about the capabilities and processes of an organization for future large-scale attacks.

To access intellectual capital:

An approved vaccine is a very valuable source of intellectual capital. COVID-19 vaccine production data is extremely valuable today as the global race to administer vaccines continues. Biotech firms house a lot of intellectual capital, from R&D information to vaccine formulas to testing and drug trial data, making them a lucrative target. According to research from F5, “threat actors in this case are advanced cyber attackers, either working for or hired by nation states. This makes them the most capable and well-resourced threat that organizations could face.”

In early 2021, the European Medicines Agency (EMA), a regulatory agency tasked with vaccine assessments and approvals for the EU, found that hackers stole COVID-19 vaccine data belonging to Pfizer and BioNTech. Further, leveraging intellectual capital for misinformation is another key motivator. The data in the EMA breach had been leaked online only after manipulating the exfiltrated data to undermine public trust in the vaccine.

To compromise business systems:

Whether it’s a ransomware attack on a healthcare organization or an attack on the vaccine appointment scheduling software, adversaries could also aim to interfere with business operations in the vaccine pipeline. Biotech firms have a critical role to play in ensuring the security of its partners.

Third-party security is a major challenge for healthcare organizations - and one that is very relevant to vaccine rollouts. A 2020 survey of healthcare CISOs, CIOs, and other C-suite leaders discovered that four out of five organizations experienced a cybersecurity breach precipitated by a third-party vendor over the past year.

Right now, there are many third-parties working hand-in-hand with biotech firms to coordinate the rollout of the COVID-19 vaccine, from logistics and transportation to the on-site distribution locations. How can we ensure each organization involved follows the right security protocols? A recent example of a third-party breach attempt is the targeted attacks on cold storage company Americold and global firm Miltenyi Biotec. The companies were targeted with cyberattacks in an apparent attempt to disrupt the vaccine supply chain.

Making the case for cyber security in biotech, pharma, and other healthcare industries

We recently attended a webinar on medical device security presented by Kevin McDonald, a cyber security advisor for Mayo Clinic. At the end of the discussion Kevin highlighted the core drivers for security investments in healthcare: patient care, revenue loss, and public perception.

Above all, continuation of patient care is the end goal of all security activities in healthcare organizations. Security is put in place to not hinder the quality of care, but to ensure it can continue without interruption from adversaries.

Revenue loss and public perception are fairly self-explanatory for most healthcare organization, but there are some nuances regarding the biotech industry. The goal of many biotech firms is to raise funds and eventually get purchased, and according to Silicon Valley Bank, in 2020 acquisitions of biotech startups increased. If your organization experiences a security breach, your chances and/or valuation may decrease given the increased risk and the reputational damage created.

4 security activities to implement to proactively protect your assets

Once you’re aware of the most likely risks, it’s important to understand the steps you can take to proactively protect your organization and its sensitive data. To get started, here are four activities we recommend:

  • Red teaming: Red team operations allow you to test your security controls and processes for a specific target or goal, such as vaccine formulas or patient social security numbers. Hire a red team or equip your internal red team with the right tools to simulate the stealthy approach a real adversary would take.
  • Detective control testing: Correctly configured detective controls are vital to network security. Test your detective controls against the tactics, techniques, and procedures (TTPs) used by real-world attackers to ensure your layers of
    defense in depth are working as intended.
  • Internal network penetration tests: Given the increase in phishing attempts and the vulnerability of humans in a crisis scenario, it’s likely that sophisticated adversaries will inevitably find a way to access your network. This is where internal network penetration tests prove necessary. An internal network
    penetration test
    evaluates a network for security vulnerabilities and provides actionable recommendations for remediation. It allows an organization to discover where your internal network gaps are before an adversary does.
  • Continuous testing: Often it is the case that an organization’s attack surfaces are only evaluated via a penetration test on an annual basis. Implementing more
    frequent, lighter touch tests
    throughout the year, or when a new technology or partner is added to your infrastructure, helps teams stay up to date on any recently introduced vulnerabilities.
[post_title] => Vaccine Security is Not Exclusive to Pfizer, Moderna, and Johnson & Johnson: Here’s Why [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vaccine-security-biotech [to_ping] => [pinged] => [post_modified] => 2021-05-06 19:54:49 [post_modified_gmt] => 2021-05-06 19:54:49 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=24940 [menu_order] => 49 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 23761 [post_author] => 71 [post_date] => 2021-03-23 07:00:59 [post_date_gmt] => 2021-03-23 07:00:59 [post_content] =>

In the first installment of my vulnerability management blog series, I discuss the pitfalls of not having a vulnerability testing and tracking strategy and the serious consequences of failing to recognize what is meaningful to the business. In part two of the series, I will expand on the idea of recognizing what is meaningful to the business and discuss the importance of business context in vulnerability management.

It sounds nebulous, and for good reason. From my observations over the years, I’ve heard claims that the best approach to cyber security is either 1) purchasing more technology to keep ahead of the latest vulnerabilities or 2) changing behaviors that pose the most risk, such as clicking on unknown links or using stronger passwords. While there is a place in a security program for these and other security measures, time and budget constraints create major barriers. Instead of asking, “which new technologies do we need to add to our security stack?” or “why isn’t my organization getting a perfect score on our phishing assessments?”, the most important question that needs to be asked is, “So what?”

“So what?” is arguably one of the most elemental and important criteria in any cybersecurity situation, from policy to technical security controls. The question forms the basis of nearly every security decision and requires alignment to core business objectives to be determined and applied before a direction is taken. Recognizing how each security decision impacts your business is vital. To understand the importance of “So what?” we must first understand its place in your cyber security strategy.

Strategy is another concept that can mean different things to different people, in part because there is not a standard approach to cyber security program development. Each business has different security needs. As security leaders, we address the threats that pose imminent and perceived harm to the environment, and those that get noticed most, get attention first. And understandably so, given the ever-advancing threats companies face. Often is the case, however, that what is considered harmful to the environment is not always rooted in what is most important, or what poses the most risk to a business. That is where a business-aligned vulnerability management program comes into play.

How to Achieve a Business-Aligned Vulnerability Management Program

A business-aligned vulnerability management program takes into consideration the vulnerabilities that would have the most significant, negative impact on the business, the most relevant threats that could exploit those vulnerabilities, how to remediate, as well as the controls needed to counter those threats. Such a strategy is built on a framework that enables, implements, and maintains the program and informs all security initiatives, controls, and processes.

Once a business-aligned vulnerability management program is in place, we can ask, “So what?” when considering a potential risk, a discovered vulnerability, a detected event, a proposed initiative, or virtually any other consideration affecting security posture. Let’s look at a few hypothetical vulnerability findings:

Vulnerability FindingSo What?Remediation Recommendations
Poor Administrator Account PasswordAttacker can gain access to and steal data. Poses enterprise risks to information, business operations, regulatory compliance, and business reputation. Regulatory non-compliance leading to financial sanctions. Legal action by affected customers leading to financial reparations.Change the admin password. Strengthen the admin password. Use multifactor authentication. Use “zero trust” access model. Purchase technology to enhance identity and access controls. Conduct vulnerability testing more often.
Vulnerable Version - PHPSuccessful exploitation of available vulnerabilities may allow a remote unauthenticated attacker to execute arbitrary commands directly or indirectly on the affected systems. As a result, the confidentiality, integrity, and availability of the affected systems and associated data may be compromised.Disable or uninstall PHP if it is not required for a defined business purpose. If PHP is required, upgrade to the latest stable version of the software or apply vendor supplied patches. If no fix is available, contact the vendor for solutions and consider isolating the affected service via host based and network firewalls.
SQL InjectionSQL injection may allow an attacker to extract, modify, add, or delete information from database servers, causing the confidentiality and integrity of the information stored in the database to be compromised.Depending on the SQL implementation, the attacker may also be able to execute system commands on the affected host. In some circumstances, this provides the means to take control of the server hosting the database, leading to the complete compromise of the confidentiality, integrity, and availability of the affected host.Employ a layered approach to security that includes using parameterized queries when accepting user input. Strictly define the data type that the application will accept. Also, disable detailed error messages that could give an attacker information about the database. Additionally, following the principle of least privilege when assigning permissions for the service account and database user helps limit the impact of a successful SQL injection attack.

Eliminate the “So what?” column and it becomes difficult to choose which vulnerability to prioritize. Taking these examples further, we can use this same strategy to determine what the ramifications are for conducting certain types of vulnerability scans, from the resources needed to conduct the test to the large number of vulnerability instances that will require analysis. For example, if you target scans to detect just the vulnerabilities that pose a significant answer to “So what?” or in other words, has a major impact on the business, you can focus your resources – people, time, money – on the meaningful measures to manage risk to the business.

This is all ties back to risk-based security. By now, the security industry understands why risk-based security strategies are more effective than compliance-based strategies, but are often challenged as to how to make the shift. To mature your security program and achieve a risk-based strategy, it is essential to align business logic with vulnerability management and prioritize the vulnerabilities that pose the highest risk specific to your business.

[post_title] => “So What?” – The Importance of Business Context in Vulnerability Management [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => so-what-the-importance-of-business-context-in-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2021-04-14 17:24:07 [post_modified_gmt] => 2021-04-14 17:24:07 [post_content_filtered] => [post_parent] => 0 [guid] => http://www.netspi.com/?p=23761 [menu_order] => 55 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 21092 [post_author] => 71 [post_date] => 2021-01-04 07:00:56 [post_date_gmt] => 2021-01-04 07:00:56 [post_content] => On January 4, 2021, NetSPI Managing Director Florindo Gallicchio was featured in SC Magazine: The pandemic transformed the workforce for organizations across all verticals, with employees quickly and unexpectedly transitioned from offices to working from home. The new year brings more complications. Vaccine distribution could mean a return to offices, but most experts expect a new hybrid model to emerge. Pile that on top of the already challenging situation posed by a supposed skills gap and efforts to improve diversity, and 2021 will introduce an array of workforce shifts across the community. As part of our year in review, which looked at critical events during the last year and how they might influence 2021, SC Media collected predictions across a range of categories from cybersecurity experts. Here, experts offer their perspectives on the 2021 cyber workforce.  There will continue to be more security jobs than people to fill the roles, says Florindo Gallicchio, managing director at NetSPI: “Security leaders will be challenged by filling roles that require candidates with mid- to senior- level experience – and entry level job openings will continue to be in high demand. Because of this, companies will need to do more with fewer people. This will result in increased adoption of program-level partnerships with third parties or using vendors to fill in-house positions at scale.” Read the full article here: https://www.scmagazine.com/home/year-in-review/from-diversity-efforts-to-pandemic-recovery-workforce-issues-will-evolve-in-2021/ Click here for all of Florindo's cyber security predictions [post_title] => SC Magazine: From diversity efforts to pandemic recovery, workforce issues will evolve in 2021 [post_excerpt] => On January 4, 2021, NetSPI Managing Director Florindo Gallicchio was featured in SC Magazine. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => sc-magazine-from-diversity-efforts-to-pandemic-recovery-workforce-issues-will-evolve-in-2021 [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:28:37 [post_modified_gmt] => 2021-04-14 05:28:37 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=21092 [menu_order] => 76 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 21086 [post_author] => 71 [post_date] => 2020-12-30 07:00:52 [post_date_gmt] => 2020-12-30 07:00:52 [post_content] => On December 30, NetSPI Managing Director Florindo Gallicchio was featured in SC Magazine: As companies of all sizes prepare for more challenges tied to the pandemic, as well as an expected transition to a permanent hybrid workforce, security plans will need to adapt. So what kind of strategic shifts might we see in 2021? More sophisticated phishing campaigns will probably mean enhanced email security. Digital identities may grow more appealing. And a surge in M&A could introduce new security considerations. At least, that’s some of what we heard from the experts. As part of our year in review, which looked at critical events during the last year and how they might influence 2021, SC Media collected predictions across a range of categories from cybersecurity experts. Here, the cyber community reads the tea leaves on evolving strategies of the enterprise. Security budgets are not necessarily going to increase but will be reprioritized, says Florindo Gallicchio, managing director at NetSPI: “More dollars will be specifically allocated to cloud security budgets due to the prolonged and, in many cases permanent, remote work opportunities – in other words, a distributed workforce. One exception to stagnant budgets is regulatory drivers. Certain states (e.g. California) and industries (e.g. health care) may need to increase budgets to comply with new or changing regulatory expectations.” Read the full article here: https://www.scmagazine.com/home/year-in-review/2021-strategy-predictions-shifts-in-business-models-shifts-in-security-priorities/ Click here for all of Florindo's cyber security predictions [post_title] => SC Magazine: 2021 strategy predictions: Shifts in business models, shifts in security priorities [post_excerpt] => On December 30, NetSPI Managing Director Florindo Gallicchio was featured in SC Magazine. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => sc-magazine-2021-strategy-predictions-shifts-in-business-models-shifts-in-security-priorities [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:29:18 [post_modified_gmt] => 2021-04-14 05:29:18 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=21086 [menu_order] => 77 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 20783 [post_author] => 71 [post_date] => 2020-12-28 07:00:07 [post_date_gmt] => 2020-12-28 07:00:07 [post_content] => On December 28, NetSPI Managing Director Florindo Gallicchio was featured in SC Magazine: What might 2021 bring in term of technology? Community and market experts found consensus on a few areas. First, cloud security will dominate strategies and investments even more that it did during 2020, as organizations big and small go all in on digital transformation. And second, technologies once deemed “on the horizon” – think automation, 5G and even the much hyped artificial intelligence – will officially arrive. SC Media collected predictions across a range of categories from cybersecurity experts. Here we give you the tech roundup. Check back during the next couple of weeks to see community predictions for the threat landscape, strategic priorities, and privacy policy. Automation continues to be a priority, but human context will be the key to security program management and success, says Florindo Gallicchio, managing director at NetSPI: “By now, we all understand the value automation brings to any security tool. Yet, in 2021, the human element will be pushed to the forefront of security innovation, specifically for our intellect and ability to add context to security findings. Contextualizing security findings will be an invaluable tool to boost remediation efforts in the new year, as the number of vulnerabilities remains exponential and context is key to helping us prioritize.” Read the full article here: https://www.scmagazine.com/home/year-in-review/2021-tech-predictions-the-conceptual-gets-real/ Click here for all of Florindo's cyber security predictions [post_title] => SC Magazine: 2021 tech predictions: The conceptual gets real [post_excerpt] => On December 28, NetSPI Managing Director Florindo Gallicchio was featured in SC Magazine. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => sc-magazine-2021-tech-predictions-the-conceptual-gets-real [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:29:24 [post_modified_gmt] => 2021-04-14 05:29:24 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20783 [menu_order] => 78 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 20716 [post_author] => 91 [post_date] => 2020-12-15 09:41:57 [post_date_gmt] => 2020-12-15 09:41:57 [post_content] =>

As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.

While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.

For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.

Overview: SolarWinds Orion Manual Supply Chain Attack

On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.

FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.

  • Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574 /SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
  • How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
  • Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.

Known breaches include:

FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.

U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.

Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:

  1. First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the subnet mask. If the Orion agent is found, follow SolarWinds’ recommendations.
  2. SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
  3. Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.

Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.

[post_title] => FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now? [post_excerpt] => As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => fireeye-solarwinds-us-treasury-whats-happening-in-the-cyber-security-world-right-now [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:03:39 [post_modified_gmt] => 2021-05-04 17:03:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20716 [menu_order] => 79 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [7] => WP_Post Object ( [ID] => 20478 [post_author] => 71 [post_date] => 2020-12-01 07:00:19 [post_date_gmt] => 2020-12-01 07:00:19 [post_content] =>

I should have known better.

Eleven-some thousand findings, struggling inexorably to transform from scanner output to csv format. It was too late; the scanner tool was on a mission to dump megabytes of data into a spreadsheet and there was nothing I could do to cancel it.

As I sat there staring at the progress counter slowly creep upward, I questioned my life choices up until that point. I’ve been a security practitioner my entire adult life. I’ve (legally) stolen troves of data in many forms. I’ve discovered untold thousands of vulnerabilities in my penetration testing days, most of which didn’t amount to much; inconsequential findings that did not correlate to any meaningful risk to the organization I was testing. I’ve always weighed more the vulnerabilities I knew would net the golden ring, whether it was unauthorized access to sensitive data, privileged access to a network or system, or whatever prize the vulnerability du jour led to.

And yet there I was, wondering what made me even look for that many vulnerabilities. For some reason I enabled all vulnerability checks in the scanner configuration. The scanner categorized most of the findings as “information,” usually mundane tidbits of data more suited for asset inventories than vulnerability management. Of those 11,000 findings, maybe 25 were categorized as high risk, and maybe a few hundred or so as medium risk. After some threat modeling and other consideration, it turned out there were maybe five relevant vulnerabilities that required prioritized action. All those informational findings? No need to worry about those.

Except one. And man, it was a killer.

It was a simple thing, really. The scanner identified something my team and I had taken great pains to disable long ago. I was confident – arrogantly so! – that it was disabled, so I didn’t bother checking the scanner output to see if it was suddenly active again.

I think you can see where this is going.

It wasn’t until later during an internal audit that I discovered I made the mistake of not propagating my vulnerability management strategy wide enough to encompass a critical process in our security program framework: to periodically validate everything that could have the most adverse effect on the business. Thankfully, it was discovered internally but let’s be honest, nobody enjoys internal auditors finding anything at all, much less something significant.

To be fair, how do you sift through 11,000 findings to determine which are important? You don’t. At least, it certainly isn’t using spreadsheets, arguably the most common method of tracking vulnerabilities. Spreadsheets are the devil. Dumping vulnerability data into them leads to headaches and doesn’t provide the kind of tools needed to manipulate and correlate the data to produce meaningful outcomes in managing the vulnerabilities. And besides, it’s unnecessary. This entire approach is inefficient and ultimately unnecessary.

A Scanner is not the Equivalent of a Vulnerability Management Program

The truth is, many organizations consider vulnerability management to be running a scanner with all the checks turned on, and then addressing the high-risk findings. In my experience, this bottom-up approach presents a few problems:

  • Scanner policy configurations are not one-size-fits-all. When set to scan for all possible technology vulnerabilities, the scanner can produce an enormous amount of noise in which meaningful vulnerabilities may be missed or ignored. This “spray and pray” method creates more confusion and eventually apathy toward purposeful vulnerability analysis.
  • Similar vulnerabilities can pose drastically different risks. A discovered open share on a file server containing HR data may be categorized by a scanner as medium risk, but the actual risk to the business is high or even critical. A discovered open share on a print controller containing fonts or no files at all may also be categorized as medium risk but in fact is a low risk to the business. Without the proper context an organization may treat these two findings as equal and expend the same time and effort (cost) in addressing both when they do not merit equal treatment.
  • Measured improvements in security maturity are an expensive undertaking. The costs in terms of money, time, and effort can skyrocket if guardrails aren’t applied to focus the process on specific goals, otherwise it is a continuous game of catching up each time a vulnerability scan is run.

The key is to understand the risks most likely to disrupt the business from meeting its objectives, identify the threats that would cause and amplify those risks, and select the controls most appropriate for managing those threats. The controls should then be regularly measured and audited to ensure they are implemented correctly and are effective in protecting the organization.

In the next blog in this vulnerability management series, we will look at how to align vulnerability management goals to meet the organization’s business objectives, and present considerations for maturing vulnerability management processes into risk-based program strategy.

[post_title] => What Not to Do When Ingesting and Prioritizing Vulnerability Data for Remediation [post_excerpt] => I should have known better... It was too late; the scanner tool was on a mission to dump megabytes of data into a spreadsheet and there was nothing I could do to cancel it. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => what-not-to-do-when-ingesting-and-prioritizing-vulnerability-data-for-remediation [to_ping] => [pinged] => [post_modified] => 2021-04-14 07:01:49 [post_modified_gmt] => 2021-04-14 07:01:49 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20478 [menu_order] => 89 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [8] => WP_Post Object ( [ID] => 20466 [post_author] => 71 [post_date] => 2020-11-24 07:00:05 [post_date_gmt] => 2020-11-24 07:00:05 [post_content] =>

Making its debut in 2018, the Ryuk ransomware strand has wreaked havoc on hundreds of businesses and is responsible for one-third of all ransomware attacks that took place in 2020. Now it is seemingly on a mission to infect healthcare organizations across the country, already having hit five major healthcare providers, disabling access to electronic health records (EHR), disrupting services, and putting sensitive patient data at risk.

The healthcare industry is surely bracing for what the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning as, “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” What can organizations do to preemptively protect themselves? Our recommendation:

  1. Analyze what makes the healthcare industry a key target for ransomware,
  2. Educate yourself to better understand Ryuk and TrickBot, and
  3. Implement proactive cyber security strategies to thwart ransomware attacks and minimize damage from an incident (we’ll get into this more later in this post).

We’ve pulled together this Guide to Ryuk as a resource to help organizations prevent future ransomware attacks and ultimately mitigate its impact on our nation’s healthcare systems.

Why are Healthcare Providers a Target for Ransomware?

Healthcare is widely known as an industry that has historically struggled to find a balance between the continuation of critical services and cyber security. To put this into perspective, doctors and physicians can’t stop everything and risk losing a life if their technology locks them out due to forgetting a recently changed password. So, security, while critically important in a healthcare environment, is more complex due to its “always on” operational structure.

We’ve seen a definite uptick in attention paid to security at healthcare organizations, but there’s much work to be done. The task of securing a healthcare systems is extremely challenging given its scale and complexity, consisting of many different systems and, with the addition of network-enabled devices, it becomes difficult for administrators to grasp the value of security relative to its costs.  In addition, third parties, such as medical device manufactures also play a role. Historically, devices in hospitals, clinics, and home-healthcare environments had no security controls, but there has been more of a focus on “security features” as connectivity (network, Bluetooth, etc.) has increased. Yet most healthcare networks are still rife with these sorts of devices that have minimal, if any, built-in security capabilities.

Healthcare is by no means the only target industry: any organization can fall victim to ransomware. Though, healthcare is a prime target for two reasons:

  • It’s a gold mine for sensitive data, including social security numbers, payment information, birth certificates, addresses, and more. While monetizing such data may require additional effort on the part of cybercriminals, breaches of such data is a major HIPAA compliance violation that can result in heavy fines and could also potentially have a negative impact to patients if their data is leaked.
  • The criticality of the business is as high-risk as it gets. In other words, hospitals cannot afford downtime. Add a public health pandemic to the mix and the criticality increases drastically.

This sense of urgency to get systems back up and running quickly is a central reason why Ryuk is targeting the industry now. Hospitals are more likely to pay a ransom due to the potential consequence downtime can have on the organization and its patients.

Ransomware, Ryuk, and TrickBot:

To understand Ryuk, it is important to first understand ransomware attacks at a fundamental level. Ransomware gains access to a system only after a trojan or ‘botnet’ finds a vulnerable target and gains access first. Trojans gain access often through phishing attempts (spam emails) with malicious links or attachments (the payload). If successful, the trojan installs malware onto the target’s network by sending a beacon signal to a command and control server controlled by the attacker, which then sends the ransomware package to the Trojan.

In Ryuk’s case, the trojan is TrickBot. In this case, a user clicks on a link or attachment in an email, which downloads the TrickBot Trojan to the user’s computer. TrickBot then sends a beacon signal to a command and control (C2) server the attacker controls, which then sends the Ryuk ransomware package to the victim’s computer.

Trojans can also gain access through other types of malware, unresolved vulnerabilities, and weak configuration, though, phishing is the most common attack vector. Further, TrickBot is a banking Trojan, so in addition to potentially locking up the network and holding it for ransom, it may also steal information before it installs the ransomware.

How does an organization know if they have fallen victim to ransomware, more specifically Ryuk? It will be obvious if Ryuk has successfully infiltrated a system. It will take over a desktop screen and a ransom note will appear with details on how to pay the ransom via bitcoin:

A screenshot of Ryuk’s ransom note.

An early warning sign of a ransomware attack is that at the technical level, your detective controls, if effective, should alert to Indicators of Compromise (IoC). Within CISA’s alert, you can find TrickBot IoCs listed along with a table of Ryuk’s MITRE ATT&K techniques.

A threat to the increasing remote workforce: In order to move laterally throughout the network undetected, Ryuk relies heavily on native tools, such as Windows Remote Management and Remote Desktop Protocol (RDP). Read: COVID-19: Evaluating Security Implications of the Decisions Made to Enable a Remote Workforce

Implementing Proactive Cyber Security Strategies to Thwart Ransomware Attacks

We mentioned at the start of this post that one of the things organizations can do preemptively to protect themselves is to put in place proactive security strategies. While important, security awareness only goes so far, as humans continue to be the greatest cyber security vulnerability. Consider this: In past NetSPI engagements with employee phishing simulations, our click-rates, or fail-rates, were down to 8 percent. This is considered a success, but still leaves open opportunity for bad actors. It only takes one person to interact with a malicious attachment or link for a ransomware attack to be successful.

Therefore, we support defense-in-depth as the most comprehensive strategy to prevent or contain a malware outbreak. Here are four realistic defense-in-depth tactics to implement in the near- and long-term to prevent and mitigate ransomware threats, such as Ryuk:

  1. Revisit your disaster recovery and business continuity plan. Ensure you have routine and complete backups of all business-critical data at all times and that you have stand-by, or ‘hot,’ business-critical systems and applications (this is usually done via virtual computing). Perform table-top or live disaster recovery drills and validate that ransomware wouldn’t impact the integrity of backups.
  2. Separate critical data from desktops, avoid siloes: Ryuk, like many ransomware strands, attempts to delete backup files. Critical patient care data and systems should be on an entirely separate network from the desktop. This way, if ransomware targets the desktop network (the most likely scenario) it cannot spread to critical hospital systems. This is a long-term, and challenging, strategy, yet well worth the time and budgetary investment as the risk of critical data loss will always exist.
  3. Take inventory of the controls you have readily available – optimize endpoint controls: Assess your existing controls, notably email filtering and endpoint controls. Boost email filtering processes to ensure spam emails never make it to employee inboxes, mark incoming emails with a banner that notifies the user if the email comes from an external source, and give people the capability to easily report suspected emails. Endpoint controls are essential in identifying and preventing malware. Here are six recommendations for optimizing endpoint controls:
    1. Confirm Local Administrator accounts are strictly locked down and the passwords are complex. Ensure Domain Administrator and other privileged accounts are not used for routine work, but only for those tasks that require admin access.
    2. Enable endpoint detection and response (EDR) capabilities on all laptops and desktops.
    3. Ensure that every asset that can accommodate anti-malware has it installed, including servers.
    4. Apply all security patches for all software on all devices. Disable all RDP protocol access from the Internet to any perimeter or internal network asset (no exceptions). 
  1. Test your detective controls, network, and workstations:
    1. Detective control testing with adversarial simulation: Engage in a purple team exercise to determine if your detective controls are working as designed. Are you able to detect and respond to malicious activity on your network?
    2. Host-based penetration testing: Audit the build of your workstations to validate that the user does have least privilege and can only perform business tasks that are appropriate for that individual’s position.
    3. Internal network penetration testing: Identify high impact vulnerabilities found in systems, web applications, Active Directory configurations, network protocol configurations, and password management policies. Internal network penetration tests also often include network segmentation testing to determine if the controls isolating your crown jewels are sufficient.

Finally, organizations that end up a victim to ransomware have three options to regain control of their systems and data.

  • Best option: Put disaster recovery and business continuity plans in motion to restore systems. Also, perform an analysis to determine the successful attack vector and remediate associated vulnerabilities.
  • Not advised: Pay the ransom. A quick way to get your systems back up and running, but not advised. There is no guarantee that your business will be unlocked (in fact, the offer may also be ransomware), so in effect you are funding adversarial activities and it’s likely they will target your organization again.
  • Rare cases: Cracking the encryption key, while possible with immature ransomware groups, is often unlikely to be successful. Encryption keys have become more advanced and require valuable time to find a solution.

For those that have yet to experience a ransomware attack, we encourage you to use the recent Ryuk news as a jumping point to future-proof your security processes and prepare for the inevitability of a breach. And for those that have, now is the time to reevaluate your security protocols.

[post_title] => Healthcare’s Guide to Ryuk Ransomware: Advice for Prevention and Remediation [post_excerpt] => Making its debut in 2018, the Ryuk ransomware strand has wreaked havoc on hundreds of businesses and is responsible for one-third of all ransomware attacks that took place in 2020. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => healthcares-guide-to-ryuk-ransomware-advice-for-prevention-and-remediation [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:06:19 [post_modified_gmt] => 2021-05-04 17:06:19 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20466 [menu_order] => 90 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 9 [current_post] => -1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 26220 [post_author] => 71 [post_date] => 2021-08-17 15:48:00 [post_date_gmt] => 2021-08-17 20:48:00 [post_content] =>

NetSPI managing director Florindo Gallicchio wrote an article that was featured in the August 2021 issue of Cyber Defense Magazine:

There’s no doubt about it: attack surfaces grow and evolve around the clock. With network configurations, new tools and applications, and third-party integrations coming online constantly, an atmosphere is being created that opens the possibility of unidentified security gaps. The fact is that cyberattacks can affect your business and are, unfortunately, more prevalent than natural disasters and extreme weather events. And we know from our own NetSPI research that nearly 70 percent of security leaders are concerned about network vulnerabilities after implementing new security tools.

Prevention is key to a mature cybersecurity program. In fact, according to a recent Ponemon Institute study, when cybersecurity attacks are prevented, organizations can save resources, costs, damages, time, and reputation. Yet, companies still may think they are protected by buying the latest cybersecurity technologies or just by working to change team behaviors that pose the most risk (i.e., using stronger passwords, avoiding phishing scams, etc.). While there is a place in a security program for these and other security measures, time and budget constraints create major barriers. Therefore, it is critical that an organization’s vulnerability management program is strongly built on a strategy that is risk-based and business aligned.

Florindo's article can be found on pg. 74 of the August Issue of Cyber Defense Magazine. Download the issue online here: https://cyberdefensemagazine.tradepub.com/free/w_cyba125/.

[post_title] => Cyber Defense Magazine: Align Business Logic with Vulnerability Management to Mature Your Security Program [post_excerpt] => NetSPI managing director Florindo Gallichio wrote an article that was featured in the August 2021 issue of Cyber Defense Magazine. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cyber-defense-magazine-align-business-logic-with-vulnerability-management-to-mature-your-security-program [to_ping] => [pinged] => [post_modified] => 2021-08-18 12:06:04 [post_modified_gmt] => 2021-08-18 17:06:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26220 [menu_order] => 8 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 9 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => e7c1154c6386ed12267d19214606c62b [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )

Is your organization prepared for a ransomware attack? Explore our Ransomware Attack Simulation service.

X